FlipSwitch: a Novel Syscall Hooking Technique

Linux kernel 6.9 replaced the old sys_call_table direct dispatch with a switch-statement-based dispatcher, rendering traditional syscall hooking ineffective. The FlipSwitch technique bypasses this by locating the unique call instruction in x64_sys_call that targets an original syscall (e.g., sys_kill), disabling write protection, and patching the call offset to redirect execution to a malicious handler before restoring changes on unload. #FlipSwitch #x64_sys_call

Keypoints

  • Linux kernel 6.9 moved syscall dispatch from a direct sys_call_table lookup to a switch-statement-based x64_sys_call dispatcher, breaking traditional function-pointer overwrite hooks.
  • The sys_call_table still exists for compatibility but is no longer used for actual syscall dispatch, so modifying it has no effect on syscall flow.
  • FlipSwitch locates the original syscall function address (e.g., sys_kill) using mechanisms like kallsyms_lookup_name, often retrieved indirectly via kprobes.
  • The technique scans the compiled machine code of x64_sys_call for a unique call (0xe8 + 4-byte offset) that points to the original syscall and uses that location as the insertion point.
  • FlipSwitch disables CPU write protection (CR0 WP bit) in kernel context to patch the 4-byte relative offset of the call instruction, redirecting execution to a fake syscall handler.
  • The modification is minimal and precise (patching a single call offset) and is reverted when the module is unloaded to minimize forensic traces.
  • Elastic Security published YARA rules to detect the FlipSwitch proof-of-concept, providing signature-based detection for the rootkit PoC.
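
As an added example (not code from the Elastic article or from the FlipSwitch PoC), the Python script below shows the defender-side counterpart to the fourth key point: it decodes every `0xe8` + 4-byte-offset call instruction in a dispatcher body, resolves each target against a symbol map, and reports any call whose target no longer belongs to a known syscall handler. The dispatcher bytes, the `DISPATCHER_BASE`, `FAKE_KILL` and handler addresses, and the helper names (`build_dispatcher`, `decode_rel32_calls`, `audit_dispatcher`, `redirected_calls`) are all constructed for this demonstration; on a live system the bytes would come from a kernel memory acquisition and the symbol map from /proc/kallsyms or System.map.

```python
# Added example (not from the Elastic article): offline integrity check of the
# call instructions inside a switch-based syscall dispatcher such as x64_sys_call.
# All addresses and the layout of the dispatcher body are constructed.
import struct

# Constructed symbol map: what /proc/kallsyms or System.map would give a defender
# for the legitimate handlers. Addresses are made up.
KNOWN_SYSCALLS = {
    "sys_read": 0xFFFFFFFF81200000,
    "sys_write": 0xFFFFFFFF81200100,
    "sys_kill": 0xFFFFFFFF81200200,
}
DISPATCHER_BASE = 0xFFFFFFFF81100000  # constructed address of the dispatcher body
FAKE_KILL = 0xFFFFFFFFC0000000        # constructed module-region address no symbol owns


def encode_call(instr_addr: int, target: int) -> bytes:
    """Encode `call rel32` (opcode 0xE8) located at instr_addr that lands on target."""
    rel = target - (instr_addr + 5)  # rel32 is relative to the next instruction
    return b"\xe8" + struct.pack("<i", rel)


def build_dispatcher(base: int, targets) -> bytes:
    """Construct a toy dispatcher body: a short prologue, then one call per target
    separated by nop filler so the layout resembles compiled switch arms."""
    code = bytearray(b"\x48\x89\xe5")  # mov rbp, rsp (contains no 0xE8 byte)
    for target in targets:
        code += b"\x90\x90"            # nop; nop
        code += encode_call(base + len(code), target)
    return bytes(code)


def decode_rel32_calls(code: bytes, base: int):
    """Yield (instr_addr, target_addr) for every 0xE8 rel32 call in code.
    This is a linear opcode scan, not a disassembler: a 0xE8 byte that is really
    part of another instruction's operand would be mis-decoded, so treat hits as
    candidates and confirm them against a trusted baseline."""
    i = 0
    while i + 5 <= len(code):
        if code[i] == 0xE8:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            yield base + i, (base + i + 5 + rel) & 0xFFFFFFFFFFFFFFFF
            i += 5  # skip the immediate so its bytes are not rescanned
        else:
            i += 1


def audit_dispatcher(code: bytes, base: int, known: dict):
    """Resolve each call target against the symbol map. A call whose target maps
    to no known handler has its offset pointing somewhere it should not."""
    by_addr = {addr: name for name, addr in known.items()}
    return [
        {"call_at": at, "target": tgt, "symbol": by_addr.get(tgt)}
        for at, tgt in decode_rel32_calls(code, base)
    ]


def redirected_calls(code: bytes, base: int, known: dict):
    """Only the findings whose target resolves to no known syscall handler."""
    return [f for f in audit_dispatcher(code, base, known) if f["symbol"] is None]


if __name__ == "__main__":
    clean = build_dispatcher(DISPATCHER_BASE, list(KNOWN_SYSCALLS.values()))
    # Same layout, but the kill arm now calls an address no symbol owns: this is
    # what a memory reader sees after the single-offset patch the page describes.
    hooked = build_dispatcher(
        DISPATCHER_BASE,
        [KNOWN_SYSCALLS["sys_read"], KNOWN_SYSCALLS["sys_write"], FAKE_KILL],
    )
    for label, blob in (("clean", clean), ("hooked", hooked)):
        bad = redirected_calls(blob, DISPATCHER_BASE, KNOWN_SYSCALLS)
        print(label, "redirected calls:",
              [(hex(f["call_at"]), hex(f["target"])) for f in bad])
```

Because the patch described in the key points changes only four bytes of a single call, the practical check is a diff of decoded call targets against a baseline captured when the kernel was known good (or against the addresses in the kernel's own symbol table), rather than hashing the whole function, which would also flip on legitimate live patching. The opcode scan is a heuristic; a production tool should decode with a real x86-64 disassembler before trusting a hit.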

MITRE Techniques

  • [T1218] Signed Binary Proxy Execution – Using kprobes and exported kernel symbols like kallsyms_lookup_name to locate and invoke kernel functions (“kallsyms_lookup_name("sys_kill") to obtain the address of the sys_kill function”).
  • [T1543] Create or Modify System Process – Modifying kernel syscall dispatch by patching x64_sys_call’s call instruction to redirect a syscall to attacker-controlled code (“overwrite the 4-byte offset of the call instruction with a new offset that points to our own fake_kill function”).
  • [T1609] Disable or Modify Security Tools – Temporarily clearing the CR0 write-protect bit to permit writing to read-only kernel memory (“clear_bit(16, &cr0); write_cr0_forced(cr0);”).
  • [T1204] User Execution – (PoC context) Leveraging a loadable kernel module to execute code in kernel context to perform the patching and hooking actions (“we are already executing within the kernel (ring 0) … disable write protection … modify the kernel’s memory”).
  • [T1036] Masquerading – Reverting changes on module unload to reduce traces and blend with normal kernel behavior (“all changes are fully reverted when the kernel module is unloaded, leaving no trace of its presence”).

Indicators of Compromise

  • [File/Rule] YARA rule signature – Elastic Security YARA rule Linux_Rootkit_Flipswitch_821f3c9e (contains multiple byte-pattern strings such as FF FF 48 89 45 E8 F0 80 … and other patterns) – useful to detect the FlipSwitch PoC on disk or in memory.
  • [Function Names] Kernel symbols used as targets or lookups – sys_kill, x64_sys_call, kallsyms_lookup_name – referenced as lookups or patch targets in the technique.


Read more: https://www.elastic.co/security-labs/flipswitch-linux-rootkit